It seems to me unfair and misleading to call this a "flaw" in Firefox et
al. In fact, the browsers are just following the standard (whose standard
is this? I can never keep track of the alphabet soup of standards
organizations) and enabling IDNs--which people must be wanting browsers to
support, right? It's hardly the browser's fault if the *standard* is itself
subject to these shenanigans.
The simplest solution is just to pitch IDNs entirely. Is that what people
actually want?? And even that still leaves problems with micros0ft.com and
goog1e.com and such games. I thought when this was last discussed, people
were saying that the registries should perform such checks and not permit
"too-close" domain names. That does seem like something of a burden for the
registry; can they be expected to catch them all?
The different-colors-for-different-blocks plan seems like a good start. A
warning that there *is* punycode happening is probably a good plan too,
which I had not thought of.
But to say this is a "flaw" that IE doesn't have is misrepresenting the
situation. It's a feature based on an inherently risky standard that IE
doesn't support.
~mark
John Burger wrote:
>Frank Yung-Fong Tang wrote:
>
>>Any one have any comment about
>>https://bugzilla.mozilla.org/show_bug.cgi?id=279099
>
>
>Here's a popular press description of the problem
>
>http://www.macworld.com/news/2005/02/08/spoof/index.php
>
>which points to a test for it at Secunia.com. (They registered paypal.com
>spelled with a Cyrillic "a".) Ironically, IE doesn't fall for the spoof,
>because it apparently doesn't handle IDNs. Of course, from a user
>interface perspective, browsers need to do something about this, but I
>find it annoying that it's described as a "security flaw". My browser
>doesn't warn me about g00g1e.com yet, either.
>
>- John D. Burger
>MITRE
>